Ensures EBS snapshots are encrypted at rest
EBS snapshots should have at-rest encryption enabled through AWS using KMS. If the volume was not encrypted and a snapshot was taken the snapshot will be unencrypted.
Follow the appropriate remediation steps below to resolve the issue.
Log in to the AWS Management Console.
Select the “Services” option and search for EC2.
Scroll down the left navigation panel and choose “Snapshots”.
Select the “Snapshot” that needs to be verified and click on its name from the “Name” column.
Scroll down the page and under “Details” check for “Encrypted”. If the “Encrypted” option is showing “Not Encrypted” then the selected the “EBS Snapshot” is not encrypted.
Repeat the steps number 2 - 5 to check other “EBS Snapshot” in the AWS region.
Select the unencrypted “EBS Snapshot” that needs to be encrypted and click on the “Actions” button at the top panel and click on the “Copy snapshot” option.
In the “Copy Snapshot” dialog box select the box “Encrypt this snapshot” next to “Encryption” and choose the “KMS key” from the dropdown menu.
Click on the “Copy snapshot” button to copy the selected “EBS Snapshot”.
Select the new EBS snapshot and click on the “Actions” button at the top panel and click on the “Create Volume from snapshot” option.
In the “Create Volume” dialog box verify the “Encryption” option is enabled.
Click on the “Create Volume” button to create the new “EBS Encrypted Volume”.
Scroll down the left navigation panel and click on the “Volumes”.
Select the volume that is not encrypted and click on the “Action” button at the top and click on the “Detach Volume”.
In the “Detach Volume” dialog box click on the “Detach” button.
Select the newly encrypted EBS volume and click on the “Action” button at the top and click on the “Attach Volume”.
In the “Attach Volume” dialog box select the EC2 instance and device name for the attachment.
Repeat steps number 7 - 17 to ensure “EBS snapshots” are encrypted at rest.